WEBVTT - TechStuff Investigates Operation Ghost Click 0:00:00.320 --> 0:00:02.880 Brought to you by the reinvented two thousand twelve camera. 0:00:03.200 --> 0:00:08.960 It's ready. Are you get in touch with technology? With 0:00:09.039 --> 0:00:17.680 tech Stuff from how stuff looks dot com. Hello again, everyone, 0:00:17.720 --> 0:00:21.799 Welcome to tex Stuff. My name is Chris Polett, and 0:00:21.800 --> 0:00:23.920 I'm an editor at how Stuff works dot com. I'm 0:00:24.000 --> 0:00:26.920 trying to crack up the person sitting across from me, 0:00:27.000 --> 0:00:29.800 and that's the person I usually talked to on these podcasts. 0:00:29.840 --> 0:00:32.600 His name is Jonathan Strickler and and he is a 0:00:32.640 --> 0:00:35.760 senior writer here. To get there, you follow Highway fifty 0:00:35.840 --> 0:00:37.920 eight going northeast out of the city, and it is 0:00:37.960 --> 0:00:42.440 a good highway and New all right, We're we're talking 0:00:42.479 --> 0:00:45.360 about numbers today, Yes we are. We're talking about getting 0:00:45.400 --> 0:00:49.160 to where you're going and getting diverted along the way. So, 0:00:49.880 --> 0:00:51.800 as of the recording of this podcast, which is in 0:00:51.960 --> 0:00:56.080 April of there is a story that's actually not a 0:00:56.080 --> 0:00:59.720 news story necessarily. It first started to kind of make 0:00:59.720 --> 0:01:03.240 the New is way back in November, but it's kind 0:01:03.280 --> 0:01:06.640 of sort of bubbled up and it's an operation that 0:01:06.720 --> 0:01:10.520 the FBI, the Federal Bureau of Investigations, has headed up 0:01:10.959 --> 0:01:16.280 and it all involves hacking into the Internet and uh, 0:01:16.360 --> 0:01:21.320 and and messing around with Internet traffic. It's called Operation 0:01:22.200 --> 0:01:26.880 Ghost Click. That's a nice name. I always love hearing 0:01:26.920 --> 0:01:32.280 the operation names. It is a wacky doctors game. So um, 0:01:32.319 --> 0:01:34.720 I think first, before we get into too much detail, 0:01:34.760 --> 0:01:37.959 we should probably talk about how internet traffic works. We've 0:01:37.959 --> 0:01:41.560 mentioned that on the podcast on a handful of occasions. 0:01:41.600 --> 0:01:43.880 I think when in fact we got into the domain 0:01:44.000 --> 0:01:48.920 name system DNS system or sorry that was redundant, the 0:01:49.000 --> 0:01:52.400 d N s uh no was servers um Well are 0:01:52.440 --> 0:01:55.440 both because DNS can can mean both, but right, right, right, 0:01:55.640 --> 0:01:58.279 So yeah, we talked about it before. And basically every 0:01:58.320 --> 0:02:04.200 website has a is um as an address, a physical address, 0:02:04.280 --> 0:02:07.600 well physical address on on a hard drive, a physical 0:02:07.640 --> 0:02:10.800 hard drive somewhere, and these numbers, there are are four 0:02:10.840 --> 0:02:14.960 sets of numbers separated by periods, and that address is 0:02:15.080 --> 0:02:20.560 unique to that um space on that physical hard drive somewhere. 0:02:20.639 --> 0:02:23.560 And so if you typed in UM h T T 0:02:23.680 --> 0:02:27.000 P colon slash slash and these this number, you will 0:02:27.040 --> 0:02:29.960 get to a website. Of course, that's very inconvenient because 0:02:30.000 --> 0:02:31.880 then you either have to write down these numbers or 0:02:31.880 --> 0:02:34.720 bookmark them or you know, yeah, you have to have 0:02:34.800 --> 0:02:38.760 some sort of weird total recall thing going on where 0:02:38.800 --> 0:02:43.600 you can just easily remember any series of numbers, which would, 0:02:43.680 --> 0:02:49.440 uh would would make you incredibly useful, but it would 0:02:49.440 --> 0:02:51.160 also make you very rare. Most of us, most of 0:02:51.240 --> 0:02:55.040 us are just not It's not something humans are particularly 0:02:55.080 --> 0:02:58.720 good at doing on average. So that is what kind 0:02:58.760 --> 0:03:01.200 of gave rise to the idea of having this domain 0:03:01.360 --> 0:03:04.600 name system. Yes, now, domain name system, what it does 0:03:04.800 --> 0:03:08.639 is it allows you to create a domain name as 0:03:08.680 --> 0:03:13.600 in words that correspond to whatever your site is, and 0:03:13.639 --> 0:03:17.720 then that itself is mapped to this series of numbers, 0:03:17.720 --> 0:03:22.160 this i P address right, the i P being Internet 0:03:22.240 --> 0:03:26.240 protocols UM, which is the the language that gets uh, 0:03:26.480 --> 0:03:29.000 you know, you from one place to another on the Internet, 0:03:29.040 --> 0:03:31.840 regardless of whether you're using a Windows machine, Mac or 0:03:31.880 --> 0:03:35.200 Linux or mobile thing. It gets you to the same place. 0:03:35.240 --> 0:03:37.960 And what allows you to type in how stuff works 0:03:38.000 --> 0:03:41.320 dot com and get to our website. Yes, so if 0:03:41.320 --> 0:03:43.600 you were to type how stuff works dot com, what 0:03:43.720 --> 0:03:47.360 happens is that request you know, what you're essentially doing 0:03:47.400 --> 0:03:49.640 is you're telling your browser I want access to this 0:03:49.720 --> 0:03:54.800 particular website. Your browser sends this message along up a 0:03:54.920 --> 0:03:58.640 chain of command, and uh, you know, it has to 0:03:58.680 --> 0:04:02.440 go out to the right computer that has the website 0:04:02.600 --> 0:04:05.880 living on it and retrieve that so that you get 0:04:05.920 --> 0:04:09.400 an instance of it back at your machine. In order 0:04:09.440 --> 0:04:12.920 to do that, it has to first map that what 0:04:13.040 --> 0:04:14.960 needs to have is the name that you're typing. It 0:04:15.000 --> 0:04:19.840 has to be mapped to that physical machine, that physical drive, uh, 0:04:20.120 --> 0:04:23.080 and it does this by going through domain name servers. 0:04:23.400 --> 0:04:25.800 A domain name server is essentially like think of it 0:04:25.920 --> 0:04:29.480 kind of like a phone book. Yeah, so that all 0:04:29.560 --> 0:04:31.600 the different u r l s you could type in 0:04:32.240 --> 0:04:38.599 are indexed against these number numerical addresses. And then that way, 0:04:38.680 --> 0:04:41.000 once you type in the u r L, it looks 0:04:41.040 --> 0:04:46.320 for the corresponding numeric address, pulls information from that that 0:04:46.360 --> 0:04:50.719 particular source, and then serves it back to you so 0:04:50.800 --> 0:04:54.000 that you get what you asked for. Well that you 0:04:54.120 --> 0:04:59.200 asked for it, you got it anyway. So, um, the 0:04:59.760 --> 0:05:02.720 whole deal here is that you are going to get 0:05:02.960 --> 0:05:07.680 the right information assuming that everything's working correctly, and occasionally 0:05:07.720 --> 0:05:10.960 stuff messes up. There might be uh the computer that 0:05:11.000 --> 0:05:13.720 hosts the site might be down, in which case you're 0:05:13.720 --> 0:05:15.599 going to get something like a four or four error 0:05:16.320 --> 0:05:19.440 because the Internet is not going to be able to 0:05:19.480 --> 0:05:22.520 find the file that you've requested. Very sorry, the Internet 0:05:22.600 --> 0:05:25.760 is broken. The elders of the Internet called and they said, 0:05:25.920 --> 0:05:29.839 no more Internet for you. But most of the time 0:05:30.040 --> 0:05:33.760 it's gonna work just fine. However, what happened in the 0:05:33.839 --> 0:05:38.120 case of Operation ghost Click is that, uh, the FBI 0:05:38.240 --> 0:05:43.839 discovered there were some people who had created some rogue 0:05:43.960 --> 0:05:48.200 DNS servers. So, in other words, these get these folks, 0:05:48.560 --> 0:05:53.680 six Estonian nationals, according to the FBI, um got together 0:05:54.320 --> 0:05:58.279 and created these servers that acted just as a domain 0:05:58.360 --> 0:06:01.520 named server would. So in other words, it had a 0:06:01.600 --> 0:06:03.760 collection of u r l s and index of u 0:06:03.839 --> 0:06:08.360 r l s and an index of addresses numeric addresses. 0:06:08.440 --> 0:06:11.280 So it's like a fake phone book, right exactly. Some 0:06:11.440 --> 0:06:14.919 of the entries in this fake phone book went to 0:06:15.240 --> 0:06:20.040 different phone numbers, so instead literally, yeah, but we're since 0:06:20.080 --> 0:06:23.120 we're sticking with the analogy, sticking with that analogy. So 0:06:23.240 --> 0:06:27.200 instead of the official phone number for a particular website, 0:06:27.200 --> 0:06:29.560 you would get a fake one, and it would, in 0:06:29.600 --> 0:06:31.880 other words, that you would go to a fake numeric 0:06:31.920 --> 0:06:35.000 address for a real site, so you might type in 0:06:35.080 --> 0:06:39.240 the address perfect in your u r L bar. Right, 0:06:39.560 --> 0:06:43.200 So let's take a random example let's just say Yahoo. 0:06:43.760 --> 0:06:48.000 So you do www dot Yahoo dot com, you hit enter. Now, normally, 0:06:48.200 --> 0:06:50.760 in a regular DNS server, it would look up that 0:06:50.920 --> 0:06:54.599 you are L, look to see what the numeric address 0:06:54.720 --> 0:06:57.200 is for that u r L, send that information out, 0:06:57.279 --> 0:07:00.159 retrieve the website, and serve it up to you. A 0:07:00.279 --> 0:07:03.240 rogue DNS server would look up that u r L, 0:07:04.160 --> 0:07:07.599 look at the numeric address that was created for that 0:07:07.760 --> 0:07:10.640 u r L. But it isn't actually the address for Yahoo. 0:07:10.640 --> 0:07:14.040 It's an address for something else, and it serves that 0:07:14.240 --> 0:07:17.480 up to you. Now, why would anyone do this? There 0:07:17.480 --> 0:07:19.480 are a couple of different reasons. Now, in the case 0:07:19.560 --> 0:07:23.280 of the Estonians and uh, they were doing something I 0:07:23.360 --> 0:07:28.320 think that was kind of uh deediously clever. They were 0:07:28.360 --> 0:07:32.720 doing this in order to reroute traffic to break in 0:07:33.040 --> 0:07:36.400 advertising money. So, in other words, what they wanted to 0:07:36.440 --> 0:07:39.880 do was the way advertising on the internetworks in general 0:07:40.000 --> 0:07:42.440 is that you get paid for a certain number of 0:07:42.560 --> 0:07:46.120 views of that ad It's called impressions. The number of 0:07:46.160 --> 0:07:50.360 impressions and ad gets that translates to money, And if 0:07:50.400 --> 0:07:52.720 you get lots and lots and lots of impressions, you 0:07:52.760 --> 0:07:55.720 get lots of money. Um. Then in general, a single 0:07:55.720 --> 0:07:59.320 impression is worth a fraction of assent. Yeah, but if 0:07:59.320 --> 0:08:01.720 you can say, hey, you know, I can promise you 0:08:02.080 --> 0:08:04.800 that five million people are going to see your ad, 0:08:04.960 --> 0:08:09.400 then you can command a good price for your services. Right, So, 0:08:09.560 --> 0:08:13.960 very popular websites can tend to charge more than sites 0:08:14.040 --> 0:08:16.720 that don't get a lot of traffic. Makes sense, Right, 0:08:17.080 --> 0:08:18.920 Let's say that you have a billboard next to a 0:08:18.920 --> 0:08:23.239 busy highway. That the price for that billboard to to 0:08:23.240 --> 0:08:25.000 to put it out on that billboard, it's probably gonna 0:08:25.000 --> 0:08:27.520 be higher than a billboard that's next to a rural 0:08:27.640 --> 0:08:30.640 road that doesn't get a lot of traffic. So anyway, 0:08:30.720 --> 0:08:33.360 the same sort of logic applies on on the web. 0:08:33.960 --> 0:08:36.680 So what these guys were doing, I say, guys, what 0:08:36.800 --> 0:08:39.680 these Estonians were doing because I don't know their gender, Uh, 0:08:39.720 --> 0:08:42.760 they were they were using these rogue DNS servers to 0:08:42.880 --> 0:08:47.240 reroute traffic to go to different websites and that had 0:08:47.320 --> 0:08:51.240 specific ads on them that the Estonians were administering, and 0:08:51.240 --> 0:08:52.880 then they were pulling in the money. So they were 0:08:53.320 --> 0:08:57.440 redirecting traffic. It's like putting in a detour in your route, 0:08:57.800 --> 0:09:00.120 and so you're going down your normal route to to 0:09:00.120 --> 0:09:02.760 wherever you're going, and you see a sign and says, oh, nope, 0:09:02.760 --> 0:09:05.280 the road is out up ahead, take a right instead 0:09:05.280 --> 0:09:08.320 of going straight, and you will go through a different route. 0:09:08.520 --> 0:09:10.800 And along that route you decided to stop and eat. 0:09:11.000 --> 0:09:13.200 And normally you would stop and eat at your favorite restaurant, 0:09:13.200 --> 0:09:14.880 but you can't get to that one because it's on 0:09:14.920 --> 0:09:16.880 the road that's been closed. So you go to this 0:09:16.920 --> 0:09:19.480 other restaurant and it all turns out that it was 0:09:19.520 --> 0:09:21.920 employed by the other restaurant in the first place. They 0:09:21.920 --> 0:09:24.679 put that detour sign up because they wanted to get 0:09:24.800 --> 0:09:27.880 some more foot traffic or some more some more diners 0:09:28.080 --> 0:09:31.800 to come in. That was the general plan. Now the 0:09:31.880 --> 0:09:35.959 question is how do you get that rogue DNS server 0:09:36.400 --> 0:09:39.160 to get in the line of traffic so that people 0:09:39.200 --> 0:09:41.560 will visit it in the first place. Yeah, because if 0:09:41.559 --> 0:09:44.640 you're typing in an address that you already know, say 0:09:44.679 --> 0:09:48.720 Discovery dot com, you should theoretically be routed to the 0:09:48.800 --> 0:09:51.160 right place as long as your computer is configured correctly 0:09:51.559 --> 0:09:53.440 and the internet's working the way it's supposed to. I mean, 0:09:53.440 --> 0:09:54.960 what are they gonna do. Are they gonna go in 0:09:55.120 --> 0:09:59.840 and kick out the legitimate DNS machine and replace it. No, 0:10:00.559 --> 0:10:03.760 it was very clever. They created a kind of malware, 0:10:04.480 --> 0:10:07.520 and the malware is essentially called d n s changer, 0:10:08.400 --> 0:10:12.680 and so DNS changer would change the DNS settings on 0:10:12.880 --> 0:10:16.520 your computer or other device, or even router, which was 0:10:17.160 --> 0:10:20.439 particularly nasty because if it changed on the router, then 0:10:20.520 --> 0:10:23.920 any device that connects through that router would be affected. Also, 0:10:24.679 --> 0:10:27.719 it's unlikely that you're going to have anti virus software 0:10:28.160 --> 0:10:31.240 on your router, although you might on your computer now. 0:10:31.360 --> 0:10:33.120 The way that they did this with the router was 0:10:33.160 --> 0:10:36.360 the easiest way, and it's the easiest way for someone 0:10:36.360 --> 0:10:38.800 to prevent it from happening to them. The way that 0:10:38.880 --> 0:10:41.240 worked on the router was that they just ended up 0:10:41.360 --> 0:10:45.080 using a list of generic user names and passwords that 0:10:45.120 --> 0:10:51.040 are that tend to be UMU administered over various routers. 0:10:51.080 --> 0:10:54.600 So you pick pick a router, like whatever router you 0:10:54.600 --> 0:10:57.920 you happen to use, that router tends to have a 0:10:57.960 --> 0:11:01.120 standard user name and standard password you are supposed to 0:11:01.200 --> 0:11:04.560 change once you install it into your home network, but 0:11:04.640 --> 0:11:07.400 a lot of people never get around to doing that. 0:11:07.800 --> 0:11:11.640 They install the the the router and then they don't 0:11:11.679 --> 0:11:14.120 bother changing the user name and password, which means that 0:11:14.200 --> 0:11:18.000 anyone who knows what the standard user name and password 0:11:18.040 --> 0:11:20.680 is for that brand of router could get access to 0:11:20.720 --> 0:11:23.720 that network. That's what they were doing in this case. 0:11:23.920 --> 0:11:27.240 But in order to change the computers themselves, not the router, 0:11:27.600 --> 0:11:30.160 what they had to do was convince people to download 0:11:30.240 --> 0:11:34.720 some malware and execute that. Now social engineering, Yeah, lots 0:11:34.760 --> 0:11:36.920 of different ways of doing that. Yeah, you know, there's 0:11:36.960 --> 0:11:41.760 the very standard way where they include some uh they 0:11:41.840 --> 0:11:44.400 put on on a website that you might encounter a 0:11:44.440 --> 0:11:48.120 little pop up that says, hey, you're anti virus software 0:11:48.160 --> 0:11:50.280 is out of date. Install this and we will scan 0:11:50.400 --> 0:11:54.400 your computer for viruses and free, yeah, for free. And 0:11:54.440 --> 0:11:58.120 in fact it really is a virus itself that installs 0:11:58.120 --> 0:12:00.200 to your computer. You know, you think you are trying 0:12:00.280 --> 0:12:03.400 to head off some sort of malware and in fact 0:12:03.440 --> 0:12:06.240 you're actually installing malware to your computer at the time. 0:12:07.160 --> 0:12:09.959 Or it could be through email attachments, you know, all 0:12:10.000 --> 0:12:14.360 the standard ways that malware propagates across the web, any 0:12:14.400 --> 0:12:16.920 of that would work to get this this particular kind 0:12:16.920 --> 0:12:20.640 of malware onto your machine. Once you installed it, whether 0:12:20.679 --> 0:12:24.079 it was through a trojan program or whatever, it would 0:12:24.080 --> 0:12:28.560 go and reset the DNS settings on your computer, and 0:12:28.679 --> 0:12:31.240 it would direct your computer to go to these rogue 0:12:31.360 --> 0:12:36.480 DNS servers as opposed to your Internet service providers DNS servers, 0:12:36.840 --> 0:12:39.679 because h I SP has its own right that passes 0:12:39.720 --> 0:12:44.079 the information up along the chain of command. So uh, 0:12:44.280 --> 0:12:46.760 you would bypass your I s P S servers. You 0:12:46.760 --> 0:12:48.760 would go to these rogue servers, and then you would 0:12:48.760 --> 0:12:52.240 be directed to whatever website they wanted to direct YouTube 0:12:52.280 --> 0:12:54.800 for any particular u r L. For some u r 0:12:54.960 --> 0:12:57.199 l s, you might just get the regular website you 0:12:57.440 --> 0:13:01.199 you're sent along and nothing bad happen. For other u 0:13:01.320 --> 0:13:03.440 r l s, you might be directed to a site 0:13:03.480 --> 0:13:05.920 that looks very similar to the one you wanted, but 0:13:06.160 --> 0:13:08.959 something isn't quite right, and it tends that again, they 0:13:08.960 --> 0:13:11.320 were just doing it for the advertising money. The scary 0:13:11.360 --> 0:13:13.600 thing is they could have done this for any other 0:13:13.679 --> 0:13:17.640 reason and actually tried to steal stuff directly from the user. 0:13:18.559 --> 0:13:20.800 Now in this case, that doesn't seem to be what 0:13:20.880 --> 0:13:23.760 they were up to. They were up to just redirecting 0:13:23.760 --> 0:13:27.240 that traffic. So you might think, well, that's annoying. I mean, 0:13:27.280 --> 0:13:28.800 I'm not going to get to the website I want 0:13:28.800 --> 0:13:31.840 to go to unless I type in the actual uh, 0:13:31.960 --> 0:13:36.040 numeric address physically, then I would go to it. But UH, 0:13:36.240 --> 0:13:37.960 while it's annoying that I wouldn't go to the site 0:13:37.960 --> 0:13:39.400 that I wanted to go to, at least they're not 0:13:39.440 --> 0:13:42.360 stealing from me. But they could have. They could have 0:13:42.440 --> 0:13:45.400 directed things so that you would go to dummy websites 0:13:45.440 --> 0:13:49.480 that look similar to official ones and put in a 0:13:49.559 --> 0:13:51.840 system where you type in your user name and password 0:13:52.120 --> 0:13:54.640 and they would log it. They could have logged it, 0:13:54.679 --> 0:13:57.839 they didn't. They could have logged that information, thus getting 0:13:57.880 --> 0:14:00.600 access to various accounts across the net. They could have 0:14:00.600 --> 0:14:04.480 gotten access to email accounts, bank accounts, you know, any 0:14:04.520 --> 0:14:08.600 other sort of anything that would require authorization. They could 0:14:08.679 --> 0:14:12.240 have done that. Uh, And what would probably have happened 0:14:12.240 --> 0:14:13.680 is that you would have logged in. Let's say that 0:14:13.720 --> 0:14:17.040 you try to go to your banks online banking site, 0:14:17.640 --> 0:14:19.920 and you might get a site that looks very much 0:14:20.160 --> 0:14:22.920 like your banks site. In fact, it might even look 0:14:22.960 --> 0:14:26.440 almost identical. Um, the address might look a little hinky, 0:14:26.880 --> 0:14:28.440 but if you were to type an years the name 0:14:28.440 --> 0:14:31.320 and password, likely you would get a response saying, oh, 0:14:31.640 --> 0:14:35.560 sites down for maintenance. But what's really happened is that 0:14:35.560 --> 0:14:38.080 that information has been logged by hackers, so that could 0:14:38.160 --> 0:14:41.560 have happened, or they could have directed you to a 0:14:41.680 --> 0:14:44.720 site where you would have been encouraged to download even 0:14:44.760 --> 0:14:49.240 more malware, perhaps a back door access programs that you 0:14:49.320 --> 0:14:51.280 are your computer would become part of a bot net 0:14:51.720 --> 0:14:56.880 or any other kind of of hacking tool. It's it's 0:14:57.000 --> 0:14:59.680 really the options are pretty much unlimited. Now. In this case, 0:14:59.720 --> 0:15:02.040 again it was just to redirect traffic. However, there were 0:15:02.080 --> 0:15:07.360 some other problems that would happen if you were affected 0:15:07.360 --> 0:15:10.200 by this virus. You might not you know, you might 0:15:10.240 --> 0:15:13.000 not have anyone stealing from your bank account or anything. 0:15:13.200 --> 0:15:15.560 But one of the things the virus does, which is 0:15:15.600 --> 0:15:19.640 pretty much standard operating procedure for viruses, is it turned 0:15:19.760 --> 0:15:23.320 off the features on your operating system and your anti 0:15:23.360 --> 0:15:28.080 virus from updating, so that you wouldn't be able to 0:15:28.120 --> 0:15:31.480 get the latest security patches that would prevent this this 0:15:31.680 --> 0:15:36.400 UH program from working. So first step pretty much of 0:15:36.440 --> 0:15:39.640 any malware is let's disable the stuff that can turn 0:15:40.000 --> 0:15:44.960 this off. So anything that would automatically turn the malware 0:15:44.960 --> 0:15:47.960 off was disabled. So that's a problem because it means 0:15:48.000 --> 0:15:53.360 that even if you aren't being actively preyed upon by 0:15:53.520 --> 0:15:58.120 these particular hackers, uh, future attacks could hit you much 0:15:58.120 --> 0:16:00.840 more easily because you are no longer protected it, yeah, 0:16:01.200 --> 0:16:03.680 which is pretty bad. That's what we call a bad 0:16:03.720 --> 0:16:07.000 thing and internet security. And they were about what four 0:16:07.040 --> 0:16:10.440 million people around the world and about a hundred countries 0:16:10.800 --> 0:16:13.280 that were affected by this, and then five thousand in 0:16:13.280 --> 0:16:16.040 the United States. And it wasn't just uh, you know, 0:16:16.160 --> 0:16:20.400 citizen users, it was also businesses, government, government computers. UM. 0:16:20.400 --> 0:16:22.360 I think there were even like a couple of computers 0:16:22.360 --> 0:16:26.280 over at NASA that were affected to and uh. And 0:16:27.120 --> 0:16:29.800 the good news that we have is that the FBI 0:16:30.040 --> 0:16:34.120 arrested these six Estonian nationals that were identified as being 0:16:34.240 --> 0:16:37.240 part of this running actually running this ring. Yeah, they 0:16:37.280 --> 0:16:38.800 were going to try to have them extradited into the 0:16:38.880 --> 0:16:43.080 United States. Yeah. And they've also taken over the rogue 0:16:43.160 --> 0:16:45.880 DNS servers they have identified as being part of this, 0:16:46.560 --> 0:16:50.440 and those rogue DNS servers are now acting like legitimate 0:16:50.520 --> 0:16:53.800 DNS servers, which is great. That means that as a user, 0:16:54.080 --> 0:16:56.240 when you try to visit a website, you should get 0:16:56.280 --> 0:17:00.000 what you're supposed to get. However, there's a problem because 0:17:00.000 --> 0:17:03.600 as your computer is still have if you're affected, your 0:17:03.600 --> 0:17:07.280 computer still is directing you to the wrong set of servers. 0:17:07.359 --> 0:17:10.200 You're still getting the right result, but you're going and 0:17:10.240 --> 0:17:12.800 you're not going to the regular chain of command that 0:17:12.840 --> 0:17:15.240 you should go to. And the FBI is not going 0:17:15.280 --> 0:17:18.800 to be running these servers forever, and in fact, in 0:17:18.800 --> 0:17:23.240 in July, they're going to turn them off. And once 0:17:23.280 --> 0:17:25.800 those turn off, if your computer is being directed to 0:17:25.840 --> 0:17:29.640 those DNS servers, you may not have any more Web access, 0:17:30.400 --> 0:17:33.240 at least not through typing in a normal u r L, 0:17:33.400 --> 0:17:35.520 because your computer is going to try and go through 0:17:35.520 --> 0:17:40.400 a pathway that doesn't exist anymore. So the important thing 0:17:40.400 --> 0:17:44.240 to do is to determine whether or not your computer 0:17:44.680 --> 0:17:47.720 has this infection, and if it does have the infection, 0:17:47.800 --> 0:17:51.480 to clear it up. And uh, it's the first one 0:17:51.560 --> 0:17:54.159 is easier than the second one. Yeah, the FBI actually 0:17:54.200 --> 0:17:58.359 set up a website designed to help you identify whether 0:17:58.440 --> 0:18:01.560 or not you have been affected. Yes, um, you can 0:18:01.600 --> 0:18:04.960 go to the FBI's website and follow the links to 0:18:05.000 --> 0:18:11.480 find out about whether or not your computer has this problem. 0:18:11.560 --> 0:18:14.000 And there's actually a couple different ways of doing it. 0:18:14.080 --> 0:18:16.639 There's they've they've set up a u r L where 0:18:16.680 --> 0:18:18.720 what it does is it pings a server and if 0:18:18.720 --> 0:18:22.160 it gets a positive results saying that you're fine. Uh, 0:18:22.200 --> 0:18:24.240 you get a screen that has this big green icon 0:18:24.320 --> 0:18:27.679 on it and says you're good. Um. If you're not fine, 0:18:27.760 --> 0:18:30.159 you get a big red icon which says this is 0:18:30.200 --> 0:18:32.199 saying that you're you know, it's going through one of 0:18:32.240 --> 0:18:36.560 the rogue DNS servers. They've also identified a range of 0:18:36.600 --> 0:18:41.119 the IP addresses that you know. You can check your 0:18:41.200 --> 0:18:43.600 DNS settings on your computer yourself. If you're using a 0:18:43.640 --> 0:18:46.560 Windows machine, you go to a run command and you 0:18:46.600 --> 0:18:50.359 type an IP configured slash all uh, and then that'll 0:18:50.400 --> 0:18:53.520 pull up your DNS settings and you can see what 0:18:53.760 --> 0:18:57.679 the what the numeric address is for the server that 0:18:57.760 --> 0:18:59.920 you go to, and if it falls within the rain 0:19:00.200 --> 0:19:02.920 that's been identified by the FBI, you know that your 0:19:03.040 --> 0:19:06.919 DNS settings are wrong. Clearing this up and getting rid 0:19:06.960 --> 0:19:09.920 of the malware is a little tricky. Uh. The easiest 0:19:09.960 --> 0:19:11.919 way I can think of to do it, if I 0:19:11.920 --> 0:19:14.320 were doing it myself, is going to a computer that 0:19:14.400 --> 0:19:19.600 I know has not been affected and downloading the latest 0:19:19.640 --> 0:19:23.320 anti virus software I can find and putting Most of 0:19:23.320 --> 0:19:27.000 them have an option where you can put a version 0:19:27.040 --> 0:19:30.800 of that onto a thumb drive. Do that, then take 0:19:30.840 --> 0:19:34.439 the thumb drive over to the infective machine and booted 0:19:34.480 --> 0:19:38.040 into safe mode and load up the antivirus software from 0:19:38.080 --> 0:19:40.960 the thumb drive, and that should be able. Depending upon 0:19:41.640 --> 0:19:43.720 the anti virus software, it should be able to scan 0:19:43.800 --> 0:19:47.399 it and remove it. Um. The FBI also points to 0:19:47.520 --> 0:19:52.400 several web assets that can help you if your computer 0:19:52.880 --> 0:19:54.640 does appear to be one of the ones that infected, 0:19:54.680 --> 0:19:57.320 and those may work very well for you. I tend 0:19:57.400 --> 0:19:59.920 to go with the anti virus approach whenever I can, 0:20:00.000 --> 0:20:04.639 and UM, it just I don't know, I don't know 0:20:04.680 --> 0:20:07.280 it is. I just have a preference for that as 0:20:07.320 --> 0:20:11.640 opposed to going like a web based route. Yea, um, 0:20:11.680 --> 0:20:14.760 but it is. It is fairly easy to uh to 0:20:14.800 --> 0:20:17.000 get rid of the problem in this case. It's not 0:20:17.040 --> 0:20:19.680 like some of the others where you have to UH 0:20:19.720 --> 0:20:23.440 reformat your hard drive to get it back. Yeah, there's 0:20:23.480 --> 0:20:28.080 there's something. Depending on how tech savvy you are, it's 0:20:28.080 --> 0:20:30.880 pretty easy. If you're not terribly tech savvy, it may 0:20:30.920 --> 0:20:32.919 be it may be worth it to take it to 0:20:33.119 --> 0:20:36.480 a computer professional to have them scan it and remove 0:20:36.520 --> 0:20:39.240 it and take care of it for you, because the 0:20:39.280 --> 0:20:42.000 more you mess with your computer settings, the more you 0:20:42.200 --> 0:20:48.280 may inadvertently cause some problems that can turn your machine 0:20:48.359 --> 0:20:52.439 into a nightmare. Um. And and sometimes depending on the malware, 0:20:52.520 --> 0:20:54.639 like if you've had this on your computer for a while, 0:20:55.200 --> 0:20:57.600 that might not be the only malware that's affecting you. 0:20:58.359 --> 0:21:01.359 You might have other problems, in which case, uh, you know, 0:21:01.400 --> 0:21:05.040 a simple scan and remove may not be enough. In 0:21:05.080 --> 0:21:07.919 a worst case scenario, you might have to do something 0:21:07.960 --> 0:21:11.280 like wipe your computer and reinstall the uprating system, in 0:21:11.280 --> 0:21:12.919 which case the first thing you want to do is 0:21:12.960 --> 0:21:15.040 back up as much of your data as you possibly 0:21:15.160 --> 0:21:19.280 can and then you do the wipe. But that even 0:21:19.320 --> 0:21:22.040 that is I mean, that's that's like a worst case 0:21:22.080 --> 0:21:26.280 scenario type of thing, and hopefully none of our listeners 0:21:26.320 --> 0:21:27.760 are in that. Well. First of all, hopefully none of 0:21:27.800 --> 0:21:30.560 our listeners have been affected by this malware. But if 0:21:30.600 --> 0:21:33.040 they have, hopefully it's not so severe that and they 0:21:33.080 --> 0:21:37.440 don't have other forms of malware that they can't you know, uh, 0:21:37.600 --> 0:21:41.280 take care of it themselves. Yeah. Um. And of course 0:21:41.280 --> 0:21:42.840 it's always a good idea to back up your hard 0:21:42.920 --> 0:21:45.680 drive on a regular basis anyway, just to make sure 0:21:45.760 --> 0:21:48.520 they always back up your hard drive, to to make 0:21:48.560 --> 0:21:51.679 sure that you have a version of your operating system 0:21:52.119 --> 0:21:54.119 uh installed on there that you can go back to 0:21:54.200 --> 0:21:58.040 that you know is not infected at least hopefully. Yeah. 0:21:58.880 --> 0:22:01.159 But that's that's that's pretty impressive. I mean, the FBI 0:22:01.240 --> 0:22:04.560 has really been promoting the fact that they they had 0:22:04.560 --> 0:22:07.760 this success in taking down or apparent success I should say, 0:22:07.800 --> 0:22:11.959 and taking down this uh this ring, this ring, because um, 0:22:12.000 --> 0:22:13.879 you know this is this is pretty significant. They took 0:22:13.920 --> 0:22:19.399 away traffic from uh legitimate websites in addition to making 0:22:19.400 --> 0:22:24.080 money for themselves with the the alternate fake websites. Um. 0:22:24.080 --> 0:22:27.760 And it does expose the fact that most people are 0:22:27.800 --> 0:22:31.359 are you know, still having to uh to think about 0:22:31.359 --> 0:22:34.760 what they do because they they may very well be 0:22:34.840 --> 0:22:37.080 letting somebody in. It could have been a lot worse 0:22:37.080 --> 0:22:41.399 than it was. Yeah, exploiting the DNS system, which again 0:22:41.520 --> 0:22:47.040 I know, redundant at M machine, exploiting that pin number, um, 0:22:47.080 --> 0:22:49.960